New Cybersecurity Threat Targets Mac Users With Fake Updates

Image by Martin Katler, from Unsplash

Cybersecurity researchers have uncovered two new cybercriminal groups, TA2726 and TA2727, responsible for launching a growing wave of online attacks, including fake update scams and malware targeting Mac, Windows, and Android devices.

In a Rush? Here are the Quick Facts!

  • TA2727 targets Mac users with new malware called FrigidStealer, alongside Windows and Android threats.
  • Web inject campaigns are harder to track due to multiple threat actors using similar methods.
  • Malicious fake updates remain a common technique for delivering malware, especially on compromised websites.

The attacks, which involve injecting malicious code into legitimate websites to trick users into downloading harmful software, are becoming more widespread.

Proofpoint, a cybersecurity research team, today published an update on the increasing frequency of these “web inject” campaigns, which aim to infect users by redirecting them to compromised sites that seem trustworthy.

Web injects typically involve malicious scripts that run when a user visits a compromised website. These scripts can force the website to display fake update notifications, tricking the user into clicking on a fraudulent update that installs malware.

This type of attack has become increasingly difficult to track due to multiple actors using the same method and collaborating with one another.

Historically, the group TA569 was well-known for using fake updates as a way to infect users with malware, but in 2023, several groups, including TA2726 and TA2727, began using similar tactics, as explained by Proofpoint.

These actors distribute malware through compromised websites rather than email campaigns, which makes detecting the attacks more challenging.

TA2726, for example, functions as a “traffic distributor,” redirecting users to various malware campaigns. This group works with financially motivated actors like TA569 and TA2727, who take advantage of compromised websites to spread malware. Proofpoint’s investigation revealed that since September 2022, TA2726 has been a key player in these attacks.

On the other hand, TA2727 focuses on delivering various types of malware, including an information stealer called FrigidStealer, which targets Mac users.

Proofpoint notes that in early 2025, researchers observed this malware in campaigns aimed at both Windows and Mac computers. For Mac users, the attack redirects them to a fake update page, where clicking the “Update” button downloads malware disguised as a legitimate browser update.

FrigidStealer collects sensitive information like passwords, cookies, and files related to cryptocurrency. The malware then sends this data to the cybercriminals responsible for the attack, as explained by the researchers.

While Mac users are less common in corporate environments than Windows users, these attacks are growing in frequency.

Experts recommend strong cybersecurity practices to protect against these threats, including using endpoint protection, training employees to recognize suspicious activity, and avoiding clicking on untrusted update notifications.
